Re: [webauthn] Device-bound key extension (#1658)

Please forgive me if this is a dumb question or I'm missing a security property here.

Can the device private key sign over just `clientDataHash` instead of `(clientDataHash || userCredentialId)`? I understand the need to "bind" the device private key to a user credential, but I was thinking the RP can just remember which user credential the device private key is associated with the first time it sees it. The fact that the device private key signs over the RP's challenge (in client data) even serves as a proof-of-possession of the private key.

I assume I'm missing something here that I can learn from. Can someone help me understand? Thank you! 😁

GitHub Notification of comment by tylrtrmbl
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Friday, 19 November 2021 01:45:18 UTC